Pages

2 June 2018

Are DoD’s cyber forces too focused on the network?

Cyber Command’s primary mission is defense of the Department of Defense Information Networks, but some believe they might need to expand beyond DoD’s networks. Regarding the aiming point for DoD, “we have spent years and years focused on infrastructure. Routers, switches, servers and making sure that’s right. We know how to do that, we have policies and regulations on how to do that and it’s done very well,” Col. Paul Craft, director of operations at Joint Force Headquarters-DoDIN, the DoD’s global operational defensive unit, said May 16 at the AFCEA Defensive Cyber Operations symposium in Baltimore, Maryland. “We need to shift because that’s not the only thing the information network is. It’s also our platform IT; it’s also all of our programs of record; it’s also our [industrial control systems] ICS and [supervisory control and data acquisition] SCADA systems; it’s also the cloud; it’s also all of our crossdomains that we have out in the network.”

Current and former officials acknowledge that given the ubiquity of connectivity and the threat vectors that poses, cyber defense might need to move beyond just “the network.”

“The way our cyber mission force is structured, they’re focused on a lot of skills that are related to IP-type networks as far as general understanding of cybersecurity concepts, those sorts of things, but it could be some type of control system that is under threat,” Capt. James Mills, chief of staff Fleet Cyber Command/10th Fleet, said at the same conference.

“That may be a completely different technology basis; it may have some other expertise that’s required.”

Some have said that DoD has overlooked defense outside of the DoDIN for several years.

“If you look at DoD’s information systems protection over the years … they’ve tended to focus on protecting what they believe is most important, which is the DoDIN and all the associated or affiliated networks of various security levels,” Marty Edwards, former director of the Industrial Control Systems Cyber Emergency Response Team at DHS, told Fifth Domain.

He added that these systems have been overlooked and could be of far greater consequence.

Defending at the local level

Edwards, who is now with the Automation Federation, said military installations are like small cities with a fairly extensive electricity grid to deliver electricity to the various facilities on base.

At this local installation level, the military relies on local defenders, which are classic IT-type personnel, as well as contractors that run the ICS and SCADA system. DoD’s high-end cyber defenders, called cyber protection teams, serve as cyber SWAT teams and can be mobilized in the event of a cyber incident to aid these local defenders.

The Air Force is rolling out the next phase of its initiative that aims to protect the critical Air Force-specific missions that ensure cyber threats are thwarted.

This was something that was gamed during 2017’s capstone training event for Cyber Command called Cyber Flag.

Fifth Domain got an exclusive look at Cyber Flag, a military exercise focused on training and validating the Cyber Mission Forces capabilities and readiness.

“I think that making sure that DoD installations, environments and the associated commands have a good understanding of what their landscape looks like and where their vulnerabilities lie is pretty important,” Edwards said.

Edwards also explained how at Idaho National Labs they would conduct training on defending an ICS, often with DoD personnel in attendance. These courses would involve simulating the ICS, including the hardware systems necessary to create such an environment. Blue teams would have to defend these mock environments against red team attackers.

Transitioning from defending IT systems to operational technology systems like ICS requires extra training, meaning forces cannot just seamlessly transition from one to the other. Understanding the intricacies and makes ups of all these types of networks requires training as every network is not the same.

“At each base there is so much stuff, I don’t believe at this point that cyber protection teams could parachute in effectively,” Greg Touhill, currently the president of Cyxtera, a secure infrastructure company, said.

“You almost have to have a tailored approach for each installation and have those CPTs, or whatever unit Cyber Command is going to designate, to have familiarity well before an emergency happens ... and they need to practice, practice, practice.”

Who’s in charge

At the national level, there has been an ongoing debate surrounding incident response and what federal entity is in charge of what. The Department of Homeland Security has been tasked with the responsibility of being the point agency for incident response; however, DoD can be called upon through a mechanism called defense support to civil authorities.

A new Government Accountability Office report found the Department of Defense still has work to do when it comes to roles, responsibilities and training as it pertains to support national cyber incidents.

“We’ve got some issues that need to be addressed by both the executive and the legislative branches on that. Franky this boils down to a roles and missions discussion,” Touhill, formerly the chief information security officer, CISO, deputy assist secretary of cybersecurity and communications at DHS and an Air Force brigadier general, told Fifth Domain.

One-trick ponies

Craft said it’s important to ensure DoD’s forces aren’t focused on doing one thing well at the expense of neglecting other important threat vectors or doors to the broader network that could impact business operations, healthcare operations or DoD operations to include kinetic components.

“Our goal is that we take a grander approach: we open the aperture up and we don’t just consider infrastructure in its totality as the one thing that we’ve got to make sure we defend,” he said.

“There are more things that we have to consider and we are going through that process now within the DoD.”

Edwards said he is optimistic about the direction DoD has taken recently.

“For many, many years all of these so-called operational systems sat outside of the accreditation boundaries for DoD networks, so they weren’t subject to the same information security procedures that the information networks were,” he said.

“Now we’ve seen the office of the secretary of defense starting to issue guidance to the different bases that they need to include these systems in their risk assessments, they need to get a full asset inventory of these systems and the criticality of the services they deliver.”